When the Pentagon wanted to understand how the Soviets might launch an attack against the United States during the Cold War, it created a secret team to think like its adversaries. This approach evolved into a powerful cybersecurity practice called red teaming.
In a red team engagement, an organization tasks a group of security professionals (the “Red Team”) with carrying out a simulated attack against its technology, people, and processes, while the Blue Team, which is not told that an exercise is under way, defends against the Red Team’s attacks. Regardless of the setup, this approach delivers results—Forrester estimates that Red Team testing results in a 25% reduction in security incidents and a 35% reduction in the cost of security incidents.
What makes red teaming so effective is that it requires thinking from an attacker’s perspective. By adopting this adversarial mindset, organizations can improve their security postures by identifying vulnerabilities and gaps that traditional security testing might miss. In this blog post, we’ll explore the psychological principles behind this adversarial approach and how organizations can adopt them to elevate their security postures.
The adversarial mindset is the foundation of effective red teaming, combining strategic thinking with tactical creativity. We’ve condensed this approach into four key principles that show up in each Red Team exercise. Let’s break them down:
Red teaming exercises begin with establishing clear objectives and success criteria, which are shaped by the specific attacker profile an organization wants to simulate. Understanding this profile is critical, as it reveals the attacker’s motivations and helps predict the likely shape and methods of an attack. Attacker motivations could be ideological, geopolitical, financial, or even cultural.
For example, if you’re a large financial services organization, you might be worried about financially motivated attackers. Therefore, Red Teamers might prioritize attacking payment processing systems or stealing customer financial data. However, suppose you have determined that your potential attackers seek notoriety. In this case, Red Teamers might target public-facing assets that will generate the most publicity when compromised (e.g., your website).
In the real world, attackers are willing to use any means to achieve their goals, even if these involve deceiving people or compromising an organization’s physical space. This is reflected in the statistics—90% of the cybersecurity attacks that occurred in Q1 2024 involved some kind of social engineering.
Red teaming accounts for this by bringing people and processes into an exercise’s scope and leveraging trust, fear, and curiosity to manipulate employees into forgoing security protocols. For example, red teamers might use social engineering tactics such as phishing emails, pretexting calls (also known as vishing), and baiting to get employees to reveal confidential information. Organizations need to consider and secure these non-technology factors to safeguard their critical assets.
Threat actors are resourceful problem-solvers, combining creative and unconventional strategies to achieve their goals. During the initial threat modeling and reconnaissance phase, attackers use a range of sources to gather information on their targets, from public sites like GitHub and LinkedIn to specialized resources like sites on the dark web and Shodan (a search engine for internet-connected devices and services).
This comprehensive research helps them identify potential avenues for attack and determine how to maximize impact through single exploits or complex attack chains. Unlike traditional security methods that examine vulnerabilities in isolation, attackers view a target holistically, resulting in a more complete picture of its vulnerabilities.
Attackers are relentless in pursuing their goals; they can wait quietly and patiently for months for the right opportunity to strike. Red team assessments are designed with this principle in mind and often run from several weeks to several months. This extended time frame allows Red Teamers to methodically refine and iterate on their tactics to maximize potential impact, accurately simulating real attackers’ behavior. It also lets Red Teams respond to Blue Team countermeasures, just as actual attackers adjust their strategies when they meet resistance. This mirrors the real-world attacker mindset: an unwavering determination to do whatever it takes to achieve the goal.
Let’s put these principles into action through a hypothetical case study where a “Red Team” is hired to simulate an attack against a SaaS platform. Here’s how the exercise might unfold:
Once the exercise is complete, the organization will better understand how a threat actor might compromise its systems, whom they would target, and which parts of its security program need work (e.g., detection, prevention, response, and recovery). Using these insights, the organization can address its weaknesses and strengthen its security posture.
An organization’s security strategy should never be static—it must evolve based on the organization’s risk tolerance and the changing threat environment. For organizations comfortable with higher risk, traditional security measures like penetration testing might be sufficient. For organizations with a low risk appetite, however, an adversarial mindset can significantly strengthen their security strategy. This mindset lets them view their organization through an attacker’s lens and understand attackers’ motivations and capabilities. With this insight, they can protect critical assets by thwarting attacks before they occur.
Organizations can incorporate this adversarial approach gradually. For example, if you’re just getting started, consider examining known vulnerabilities through an adversarial lens. Ask yourself, “What are the motivations of an attacker who might exploit this vulnerability?” or “How could an attacker combine this vulnerability with others to achieve their goals?” More mature organizations often hire third-party specialists to perform regular red teaming exercises. These assessments map out the attack scenarios an organization faces and highlight specific areas needing improvement—whether in prevention, detection, response, or recovery.
In a world of evolving threats, the adversarial mindset isn’t just a security tool—it’s a competitive advantage. By thinking like attackers, organizations can anticipate their tactics and build more effective defenses. As Sun Tzu wisely noted in The Art of War, “Know the enemy and know yourself in a hundred battles, and you will never be in peril.”